
Security researchers have identified an active phishing campaign that exploits Microsoft 365’s “Direct Send” feature to bypass email security controls. This tactic allows attackers to deliver malicious emails that appear to originate from internal users. Continue reading this Cybersecurity Threat Advisory to understand the threat and how to protect your organization.
What is the threat?
Attackers are abusing Microsoft 365’s Direct Send feature—originally intended to allow applications and multifunction devices to send emails without authentication—to send phishing emails that appear to come from legitimate internal users. This method bypasses standard email authentication protocols such as SPF, DKIM, and DMARC.
The phishing emails contain malicious links that lead to fake Microsoft 365 login pages designed to steal user credentials. Once compromised, attackers can gain unauthorized access to sensitive data, initiate business email compromise (BEC), or move laterally within the network.
Why is it noteworthy?
This attack is particularly concerning due to several factors:
- Abuse of a Legitimate Feature: The attack leverages a built-in Microsoft 365 function, making it difficult to disable without disrupting business operations.
- No CVE Assigned: Since this is not a software vulnerability but a misuse of intended functionality, it lacks a CVE identifier, complicating tracking and remediation.
- Bypasses Email Security: Traditional email defenses relying on SPF, DKIM, and DMARC are ineffective against this tactic.
- Internal Sender Spoofing: Emails appear to come from trusted internal sources, increasing the likelihood of user interaction.
- Widespread Exposure: Any organization using Direct Send is potentially at risk.
What is the exposure or risk?
Organizations using Microsoft 365 face significant risks from this attack technique, including user credential theft, unauthorized access, data exfiltration, business email compromise (BEC), and potential lateral movement within the organization. These risks can lead to serious consequences such as financial fraud, reputational damage, and regulatory compliance violations resulting from data breaches.
This threat is particularly harmful because the phishing emails appear to originate from trusted internal sources, making users more likely to click on malicious links and unknowingly provide their credentials. Compounding the issue, many organizations rely heavily on email authentication mechanisms that are effectively bypassed by this technique, leaving them vulnerable to exploitation.
What are the recommendations?
Barracuda strongly recommends that organizations take these steps to reduce the risk of exploitation and protect their critical infrastructure:
- Restrict Direct Send usage or disable Direct Send entirely. If it must be used for legitimate purposes, implement strict controls on which IP addresses can use this feature.
- Deploy advanced email security solutions that can detect and block phishing attempts beyond standard authentication checks.
- Enable multi-factor authentication (MFA) for all Microsoft 365 accounts to prevent credential theft from resulting in account compromise.
- Configure Microsoft 365 anti-spoofing policies to help identify and block spoofed internal emails.
- Implement DMARC with a policy of ‘reject’ for your domains to reduce the effectiveness of spoofing attempts.
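To make the first recommendation concrete, the following added example (not code from the advisory or from Barracuda) triages message-trace style records for the pattern described above: an internal-looking sender delivered without a passing SPF check from an IP that is not on the Direct Send allowlist. The internal domain, the allowlisted network, and the Authentication-Results header format are assumptions you would replace with your tenant's values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumptions (not from the advisory): your accepted domain(s) and the IPs
# that are sanctioned to use Direct Send, e.g. printers and scan-to-mail devices.
INTERNAL_DOMAINS = {"example.com"}
ALLOWED_DIRECT_SEND = [ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class TraceRecord:
    sender: str
    recipient: str
    connecting_ip: str
    auth_results: str   # value of the message's Authentication-Results header

def spf_result(auth_results: str) -> str:
    """Extract the SPF verdict (pass/fail/softfail/none/...) from the header."""
    m = re.search(r"\bspf=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"

def is_suspected_direct_send_spoof(rec: TraceRecord) -> bool:
    """True when an internal sender address arrives unauthenticated from an
    IP that is not on the Direct Send allowlist."""
    sender_domain = rec.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in INTERNAL_DOMAINS:
        return False                      # external sender: normal controls apply
    ip = ipaddress.ip_address(rec.connecting_ip)
    if any(ip in net for net in ALLOWED_DIRECT_SEND):
        return False                      # sanctioned device or application
    return spf_result(rec.auth_results) != "pass"

def triage(records):
    """Return only the records worth an analyst's attention."""
    return [r for r in records if is_suspected_direct_send_spoof(r)]

# Constructed sample records, not real telemetry.
SAMPLE = [
    TraceRecord("printer@example.com", "alice@example.com", "203.0.113.10",
                "spf=none smtp.mailfrom=example.com; compauth=fail"),
    TraceRecord("ceo@example.com", "bob@example.com", "198.51.100.77",
                "spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com"),
    TraceRecord("news@vendor.example", "carol@example.com", "198.51.100.5",
                "spf=pass smtp.mailfrom=vendor.example; dkim=pass"),
    TraceRecord("hr@example.com", "dave@example.com", "192.0.2.9",
                "spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"ALERT {r.sender} -> {r.recipient} via {r.connecting_ip}")
```

Only the second record is flagged: the allowlisted printer and the genuinely authenticated messages pass through, which is the distinction the IP restriction in the recommendation is meant to enforce.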
How Can Barracuda Protect You Against This Threat?
Barracuda offers several solutions that can help protect organizations from Direct Send abuse and similar phishing attacks:
- Barracuda Impersonation Protection: Specifically designed to detect and prevent email spoofing and impersonation attacks, even when they appear to come from internal senders.
- Barracuda Managed XDR: Offers 24/7 monitoring and threat detection capabilities to identify suspicious email activities and potential account compromises. The service includes expert security analysts who can help detect and respond to phishing campaigns.
- Barracuda Security Awareness Training: Provides security awareness training to help employees recognize and report phishing attempts, reducing the likelihood of successful attacks.
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.